
PaperCut Xerox Secure Access Manual

PaperCut – Xerox Embedded Manual, 2015-02-17
Copyright 2015 PaperCut Software International Pty. Ltd., All Rights Reserved.

Contents

1 Overview
  1.1 Consistency:
  1.2 Integration:
  1.3 Rate of development:
  1.4 Vendor Neutral:
  1.5 Security:
2 Installation
  2.1 Xerox Device Compatibility
  2.2 Requirements
  2.3 Card Reader support
    2.3.1 Network Card Readers
    2.3.2 USB Card Readers
  2.1 EFI Fiery Network Controller Support
  2.2 Setup Procedure – 7655 etc
    2.2.1 Introduction
    2.2.2 Networking/Firewall Configuration
    2.2.3 Enable the HTTPS/SSL protocol
    2.2.4 Enable SNMP v3 support
    2.2.5 Configure the Network Accounting Options
    2.2.6 Create/setup the Xerox device in PaperCut
    2.2.7 Enable Xerox Secure Access Authentication
    2.2.8 (Optional) Additional Network Security
  2.3 Setup Procedure – 7345, etc
    2.3.1 Introduction
    2.3.2 Networking/Firewall Configuration
    2.3.3 Enable the HTTPS/SSL protocol
    2.3.4 Enable SNMP v3 support
    2.3.5 Configure the Network Accounting Options
    2.3.6 Create/setup the Xerox device in PaperCut
    2.3.7 Enable Xerox Secure Access authentication
    2.3.8 (Optional) Enable network card reader
    2.3.9 (Optional) Additional Network Security
3 Post-install testing
  3.1 Test Preparation
  3.2 Scenario 1: Standard copying
  3.3 Scenario 2: Copying with account selection
  3.4 Scenario 3: Print release
  3.5 Scenario 4: Scanning and faxing
4 Configuration
  4.1 Device Function
  4.2 Authentication Methods
  4.3 Configuring Swipe Card Readers
  4.4 Single Sign On (SSO)
5 Known Limitations and Security
  5.1 Zero Stop
  5.2 Fax Tracking
  5.3 User Interface
  5.4 Bypassing the System
  5.5 Card Reader support for authentication
6 Advanced Configuration
  6.1 Config Editor
  6.2 Setting an explicit PaperCut Server Network Address
7 How it works
8 FAQ & Troubleshooting

This manual covers Xerox Secure Access setup. For general PaperCut MF documentation, please see the PaperCut MF manual.

1 Overview

This manual provides an overview of the installation, configuration and operation of PaperCut’s embedded software MFD (Multi-Function Device) solutions. Today’s MFDs are smarter – they have touch screens and offer the ability to run applications directly on the device. The goal of PaperCut Software’s embedded MFD solution is to leverage these smart devices and to provide walk-up copier users with the same set of rich application features provided in the print control area. These include:

- End user authentication including integration with single sign-on environments
- Monitoring and control of photocopying, scanning and faxing (quotas, charging, allocation and logging)
- Allocation of copying, scanning and faxing to accounts/departments/cost centers/projects
- Release jobs from a hold/release queue (secure printing)
- Group based access control: Limit access to the device to members of selected user groups.

Highlights of the embedded solution include:

1.1 Consistency:

The embedded solutions are developed in-house by the PaperCut Software development team. This ensures that the copier interface is consistent with the workstation print interface, meaning users only have to learn one system.

1.2 Integration:

PaperCut is a single integrated solution where print, internet and copier control are all managed in the one system. Users have a single account and administrators have the same level of reporting and administration for all services. The embedded solution interacts with the PaperCut server using a Service Oriented Architecture (SOA) and web services based protocols.

1.3 Rate of development:

PaperCut is developed under a release-often policy where new features are made available to users as soon as they are complete. Unlike hardware based solutions, new versions can be delivered to users regularly as software updates.

1.4 Vendor Neutral:

PaperCut remains true to its vendor neutral stance. All embedded solutions are equal and support all server OS’s including Windows, Linux and Mac.

1.5 Security:

A large percentage of PaperCut’s user base is in Education environments where security is important. All embedded solutions are developed with security in mind. Where security objectives can’t be satisfied, any deficiencies are fully disclosed.

2 Installation

This section covers the installation of the PaperCut embedded application for compatible Xerox devices. The embedded application will allow the control, logging and monitoring of walk-up off-the-glass MFD usage and may serve as a print release station for network prints (for information on just tracking network printing see the PaperCut user manual).

2.1 Xerox Device Compatibility

This document covers devices that support the Xerox Secure Access feature. Xerox Secure Access (XSA) allows the MFP to communicate with the PaperCut server to authenticate users to use the MFP device.

For recent Xerox MFPs that support the Extensible Interface Platform version 2 or higher, we recommend that you instead use the PaperCut embedded application for Xerox Secure Access EIP2.

Most recent Xerox MFPs will support the Xerox Secure Access feature. This can be verified by checking for the “Xerox Secure Access” function in the device authentication options on the device web interface.

The list of devices that support Xerox Secure Access can be found on the following page (click on the “Compatible Products” tab tions/xerox-secure-access/enus.html

To track the device usage the Xerox Network Accounting module must also be enabled (Network Accounting is also known as JBA accounting). The “Network Accounting” module is often included with the device, but for some devices it is necessary to have this enabled by your Xerox supplier. Please contact your Xerox supplier for details.

Secure print release and find-me printing are also supported on Xerox devices. The administrator has the option to automatically release all pending jobs when the user logs in, or to give the user the option to release these documents at the time of login.

NOTE: The FujiXerox devices available in the Asia-Pacific region do not support Xerox Secure Access. These devices can instead make use of the Network Accounting features to control access to the copier. See the PaperCut Xerox Network Accounting Embedded manual for information.

2.2 Requirements

Ensure that the following points are checked off before getting started:

- PaperCut is installed and running on your network. Please see the ‘Introduction - Quick Start Guide’ section of the PaperCut user manual for assistance.
- Your Xerox MFD requires support for the “Xerox Secure Access” authentication method.
- Your Xerox MFD requires that the “Network Accounting” is installed/enabled including off-box authentication support. (Network accounting is also known as JBA accounting.) You may need to contact Xerox to enable this functionality.

- Have available the network name and IP address of the system running PaperCut (e.g. the print server).
- Ensure that the Xerox MFD is connected to the network.
- Have available the network address of the Xerox MFD. It is recommended that the MFD is configured with a static IP.

2.3 Card Reader support

PaperCut supports using swipe cards for authentication at the copier. This is often more convenient than entering username/password or ID/pin numbers to login.

Xerox devices can support 2 general classes of card readers:

- Network card readers (i.e. not physically connected to the MFP. The PaperCut server communicates with these over the network)
- USB card readers (some recent Xerox devices with updated firmware now support a limited number of USB card readers – contact Xerox for details).

The Network Card Reader option will work with any Xerox device supporting “Xerox Secure Access”.

2.3.1 Network Card Readers

Network card readers may be used on any Xerox device. PaperCut supports two cost effective network card readers:

- Elatec TWN3 with the TCP Converter
- RFIdeas Ethernet card readers

These readers are available directly from the card reader distributors and PaperCut Authorized Solution Centers in your region.

These network card readers are located on the MFP device and are connected to the network. When a user swipes their card at the reader the card number is sent to the PaperCut server for validation. If the card number is valid the user will be granted access to the MFP.

2.3.2 USB Card Readers

Xerox updated their platform in late 2011 to support USB card readers through Xerox Secure Access. At the present time (April 2012) only a subset of current devices support USB card readers, and they may require firmware upgrades. They include:

- ColorQube 9301/9302/9303 (firmware 061.180.221.31500 and above)
- WorkCentre 5735/5740/5745/5755/5765/5775/5790 (firmware 061.132.222.03800 and above)
- WorkCentre 7525/7530/7535/7545/7556 (firmware 061.121.221.29800 and above).

The following card readers are supported by Xerox:

- Proximity card readers – RFIdeas, Elatec TWN3, HID OmniKey 525/5325
- Magstripe card readers – Magtek and “IDTech MiniMag”

2.1 EFI Fiery Network Controller Support

The configuration of an EFI Fiery Network Controller with the Xerox MFP’s controller is also supported for this embedded solution. To ensure it works, however, it is necessary to use the same xadmin username/password on the Fiery controller as the Xerox MFP. This will ensure that the SNMP v3 messages will be forwarded from the Fiery controller onto the Xerox MFP; if this is not done then you will likely see error messages of the form: “Unable to discover SNMPv3 Engine ID of Xerox device”.

2.2 Setup Procedure – 7655 etc

2.2.1 Introduction

This procedure describes the process of setting up Xerox Secure Access on newer models such as Xerox 7655. The specific steps, screen layouts and button/label names can differ between device models. However the general process is the same for all supported devices.

NOTE: The screens and menus shown in this document differ between device models. The menus may be located and named slightly differently on different devices. See section 2.5 for prior models.

2.2.2 Networking/Firewall Configuration

Ensure that your networking/firewall configuration allows:

- inbound connections from the Xerox devices to the PaperCut server on ports 9191 and 9192.
- outbound connections from the PaperCut server to the Xerox device on ports 80 and 443.

2.2.3 Enable the HTTPS/SSL protocol

Xerox Secure Access requires the use of HTTPS/SSL for communications. This must be enabled before completing any of the subsequent steps.

This involves generating an SSL certificate for the device:

1. Login to the device’s web admin.
2. Navigate to Properties -> Security -> Machine Digital Certificate Management
3. Press "Create New Self Signed Certificate".
4. Complete the required information
5. Press Apply.

Now enable the HTTP/SSL/TLS protocol:

1. Navigate to Properties -> Connectivity -> Protocols -> HTTP
2. Enable the "Secure HTTP (SSL)" option
3. Press Apply

2.2.4 Enable SNMP v3 support

The Xerox Secure Access feature is configured by PaperCut using SNMP v3. This protocol must be enabled before configuring the Xerox device in PaperCut.

1. Login to the device’s web admin.
2. Navigate to Properties -> Connectivity -> Protocols -> SNMP Configuration.
3. Enable the SNMP v3 option and press "Apply".
4. Go back to the SNMP page and press the "Edit SNMP v3 properties" button.
5. Enable the "Administrator" account.

6. Enter the authentication and privacy passwords. Take note of this and the username (usually “Xadmin”) as these will be required later with the configuration of the device in PaperCut.
7. Press Apply to save the changes.

2.2.5 Configure the Network Accounting Options

The following Network Accounting options should be changed to integrate with Xerox Secure Access:

1. At the copier, press the Login/Out button
2. Login with the following account information:
   Username: admin
   Password: 1111
3. Press the Machine Status button

4. Select the Tools tab at the top
5. Select Accounting button on the left
6. Select Accounting Mode on the right panel
7. Select the Network Accounting button on the left
8. Then select Code Entry Validation on the right

9. Select Disabled on the Code Entry Validation screen and press Save
10. Press Save then press the LogOut/In button to Logout

Once these settings are changed you might need to reboot the Xerox for them to have an effect. The device usually prompts you when a reboot is required.

2.2.6 Create/setup the Xerox device in PaperCut

1. Log in to the PaperCut administration interface using a web browser (e.g. http://papercut-server:9191/admin).
2. Navigate to ‘Options -> Advanced’ and ensure the option ‘Enable external hardware integration’ is enabled.
3. Press ‘Apply’.
4. Navigate to the ‘Devices’ tab.
5. Click “Create Device” action from the left.

6. Select the "Xerox (Xerox Secure Access)" device type.
7. Enter a descriptive name for the device under “Device name”.
8. Enter the Xerox device’s IP address under “Hostname/IP”.
9. Optionally enter location/department information.
10. Enter the admin username and password and privacy password (those entered in the SNMPv3 settings on the MFP). NOTE: The username is case sensitive and is usually “Xadmin”.
11. Under “Function” tick the options you would like to enable. E.g. “Track & control copying”.
12. Click “OK”.

At this point PaperCut should try to connect to the device to configure various options over SNMP. The page displayed after the device is created displays the device status. If there are problems communicating with the device then the status will show an error message. Press the "Refresh" link next to the status to see if the status is updated.

2.2.7 Enable Xerox Secure Access Authentication

At this point the Xerox Secure Access can be enabled:

1. Login to the device’s web admin.
2. Navigate to Properties -> Security -> Authentication Configuration.
3. Select Next.

4. Change Device User Interface Authentication to Xerox Secure Access and press Next
5. Click on Configure for Device User Interface Authentication

6. Click on Manually Override Settings
7. Verify that the correct PaperCut Server IP Address is listed
8. Change Log In Methods to Xerox Secure Access alternate on-screen authentication method
9. Change Accounting Information to Automatically apply Accounting Codes from the server then press Save


10. Change the Services Pathway setting to Locked. This locks access to the copier functions unless the user is logged in

NOTE: On newer devices the Pathway Options screen may look different, such as the screen below.

You may need to reboot the device for the settings to take effect.

Once the device is rebooted the device should display a screen to login. Perform testing and verify you can login and that copies are tracked by PaperCut.

2.2.8 (Optional) Additional Network Security

The MFP communicates with the PaperCut server over the network (e.g. to authenticate users or release print jobs). To provide an additional level of security, PaperCut may be configured to only allow device connections from a restricted range of network addresses. This ensures that only approved devices are connected to the PaperCut server.

By default PaperCut will allow device connections from any network address. To restrict this to a subset of IP addresses or subnets:

1. Logon to the PaperCut administration web interface at http://papercut-server:9191/admin
2. Go to the Options -> Advanced tab and find the “Security” section.
3. In the “Allowed device IP addresses” field enter a comma-separated list of device IP addresses or subnets (in the format ip-address/subnet-mask).
4. Press the “Apply” button.
5. Test the devices to ensure they can continue to contact the PaperCut server.

2.3 Setup Procedure – 7345, etc

2.3.1 Introduction

This procedure describes the process of setting up Xerox Secure Access on older devices such as a Xerox 7345. The specific steps, screen layouts and button/label names can differ between device models. However the general process is the same for all supported devices.

NOTE 1: The screens and menus shown in this document differ between device models. The menus may be located and named slightly differently on different devices.

2.3.2 Networking/Firewall Configuration

Ensure that your networking/firewall configuration allows:

- inbound connections from the Xerox devices to the PaperCut server on ports 9191 and 9192.
- outbound connections from the PaperCut server to the Xerox device on ports 80 and 443.

2.3.3 Enable the HTTPS/SSL protocol

Xerox Secure Access requires the use of HTTPS/SSL for communications. This must be enabled before completing any of the subsequent steps.

This involves generating an SSL certificate for the device:

1. Login to the device’s web admin.
2. Navigate to Properties -> Security -> Machine Digital Certificate Management
3. Press "Create New Self Signed Certificate".
4. Leave default options and press "Apply"

Now enable the HTTP/SSL/TLS protocol:

1. Navigate to Properties -> Security -> SSL/TLS Settings
2. Enable the "HTTP – SSL / TLS Communication" option
3. Verify that the “Verify Remote Server Certificate” option is Disabled.
4. Press Apply
5. Navigate to Properties -> Connectivity -> Protocols -> HTTP
6. Enable the "Secure HTTP (SSL)" option
7. Press Apply

2.3.4 Enable SNMP v3 support

The Xerox Secure Access feature is configured by PaperCut using SNMP v3. This protocol must be enabled before configuring the Xerox device in PaperCut.

1. Login to the device’s web admin.
2. Navigate to Properties -> Connectivity -> Protocols -> SNMP Configuration.
3. Enable the SNMP v3 option and press "Apply".
4. Go back to the SNMP page and press the "Edit SNMP v3 properties" button.
5. Enable the "Administrator" account.

6. Enter the authentication and privacy passwords. Take note of this and the username (usually “Xadmin”) as these will be required later with the configuration of the device in PaperCut.
7. Press Apply to save the changes.

2.3.5 Configure the Network Accounting Options

The following Network Accounting options should be changed to integrate with Xerox Secure Access:

- Login to the device web admin.
- Navigate to Properties -> Accounting -> Accounting Configuration.
- Change the Accounting Type to: Network Accounting.
- Set the "Verify User Details" setting to "Off".
- IMPORTANT: Set "Customize User Prompts" to "Display User ID & Account ID Prompts". If both “prompts” are not enabled, jobs may not be tracked properly.
- Press the "Apply" button.

Once these settings are changed you might need to reboot the Xerox for them to have an effect. The device usually prompts you when a reboot is required.

2.3.6 Create/setup the Xerox device in PaperCut

1. Log in to the PaperCut administration interface using a web browser (e.g. http://papercut-server:9191/admin).
2. Navigate to ‘Options -> Advanced’ and ensure the option ‘Enable external hardware integration’ is enabled.
3. Press ‘Apply’.
4. Navigate to the ‘Devices’ tab.
5. Click “Create Device” action from the left.
6. Select the "Xerox (Xerox Secure Access)" device type.
7. Enter a descriptive name for the device under “Device name”.
8. Enter the Xerox device’s IP address under “Hostname/IP”.
9. Optionally enter location/department information.
10. Enter the admin username and password and privacy password (those entered in the SNMPv3 settings on the MFP). NOTE: The username is case sensitive and is usually “Xadmin”.
11. Under “Function” tick the options you would like to enable. E.g. “Track & control copying”.
12. Click “OK”.

At this point PaperCut should try to connect to the device to configure various options over SNMP. The page displayed after the device is created displays the device status. If there are problems communicating with the device then the status will show an error message. Press the "Refresh" link next to the status to see if the status is updated.

2.3.7 Enable Xerox Secure Access authentication

At this point the Xerox Secure Access can be enabled:

1. Login to the device web admin.
2. Navigate to Properties -> Security -> Authentication Configuration.
3. Set the Login Type to "Xerox Secure Access".
4. Press "Apply" to save the settings.
5. In Properties -> Security -> Authentication Configuration, press the "Next" button and then the "Device Access" button.
6. Change the "All Services Pathway" setting to "Locked". This locks access to the copier functions unless the user is logged in.
7. Navigate to Properties -> Security -> Remote Authentication Servers -> Xerox Secure Access Settings.
8. Enable the "Local Login" option. (On some devices this option is called “Allow Local Interface Initiation”)

9. Enable the "Get Accounting Code" option. (On some devices this option is called “Accounting codes provided by server”).
10. Press the "Apply" Button.

You may need to reboot the device for the settings to take effect.

Once the device is rebooted the device should display a screen to login. Perform testing and verify you can login and that copies, etc are tracked by PaperCut.

2.3.8 (Optional) Enable network card reader

This section describes how to configure a network card reader for authentication at the MFP. For more information on the supported card readers see Section 2.3 Card Reader support.

To enable the network card reader:

1. Log in to the PaperCut administration interface using a web browser (e.g. http://papercut-server:9191/admin).
2. On the “Devices” tab, select the MFP device.
3. Under the “Authentication Methods” option, enable the “Swipe Card” authentication option.
4. Select the “Enable network card reader” option.
5. Enter the network address and the port of the network card reader.
6. Press “OK” or “Apply” to save the changes.
7. At this point PaperCut will establish the connection to the card reader. The status of the connection to the network card reader is displayed below the settings. If there is a problem connecting to the card reader any errors will be displayed here.

2.3.9 (Optional) Additional Network Security

The MFP communicates with the PaperCut server over the network (e.g. to authenticate users or release print jobs). To provide an additional level of security, PaperCut may be configured to only allow device connections from a restricted range of network addresses. This ensures that only approved devices are connected to the PaperCut server.

By default PaperCut will allow device connections from any network address. To restrict this to a subset of IP addresses or subnets:

1. Logon to the PaperCut administration web interface at http://papercut-server:9191/admin
2. Go to the Options -> Advanced tab and find the “Security” section.
3. In the “Allowed device IP addresses” field enter a comma-separated list of device IP addresses or subnets (in the format ip-address/subnet-mask).
4. Press the “Apply” button.
5. Test the devices to ensure they can continue to contact the PaperCut server.
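
A pre-flight check for the “Allowed device IP addresses” field described in sections 2.2.8 and 2.3.9, as an added example that is not part of the PaperCut manual or product: it parses a comma-separated list in the ip-address/subnet-mask format and reports which devices the list would admit or lock out before the change is applied. The sample addresses are constructed, the function names and the max_hosts threshold are assumptions, and parsing uses Python's ipaddress module, not PaperCut's own parser.

```python
import ipaddress

# Constructed sample values (not from the manual): the text typed into the
# "Allowed device IP addresses" field and the MFDs that must keep working.
SAMPLE_FIELD = ("10.20.30.0/255.255.255.0, 10.20.40.17, "
                "10.20.50.0 / 255.255.255.192, 172.16.0.0/255.240.0.0, 10.20.60.300")
SAMPLE_DEVICES = ["10.20.30.15", "10.20.40.17", "10.20.50.10", "10.20.50.70"]


def parse_allowed_field(field):
    """Split the comma-separated field into networks plus the entries that fail to parse."""
    networks, invalid = [], []
    for raw in field.split(","):
        entry = "".join(raw.split())  # tolerate spaces around "/" and ","
        if not entry:
            continue
        try:
            # A bare address becomes a single-host network; strict=False lets
            # "10.20.30.40/255.255.255.0" stand for its enclosing subnet.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            invalid.append(raw.strip())
    return networks, invalid


def audit_allowlist(field, device_ips, max_hosts=1024):
    """Report devices the list would admit or lock out, and entries worth reviewing.

    max_hosts is an assumed review threshold: entries covering more addresses
    than this are flagged because they admit far more than the approved devices.
    """
    networks, invalid = parse_allowed_field(field)
    covered, locked_out = [], []
    for ip in device_ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in networks):
            covered.append(ip)
        else:
            locked_out.append(ip)
    too_broad = [str(net) for net in networks if net.num_addresses > max_hosts]
    return {"covered": covered, "locked_out": locked_out,
            "invalid": invalid, "too_broad": too_broad}


if __name__ == "__main__":
    for key, values in audit_allowlist(SAMPLE_FIELD, SAMPLE_DEVICES).items():
        print(f"{key:10} {', '.join(values) or '-'}")
```

Any address listed under locked_out would fail the final "test the devices" step, so widen or correct the list before pressing “Apply”.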

3 Post-install testing

After completing installation and basic configuration it is recommended to perform some testing of the common usage scenarios. This is important for two reasons:

1. To ensure that the embedded application is working as expected
2. To familiarize yourself with the features and functionality of PaperCut and the embedded application.

This section outlines four test scenarios that are applicable for most organizations. Please complete all the test scenarios relevant for your site.

3.1 Test Preparation

To complete these tests it is recommended you use two test users so that each can be configured di
